WhatsApp seems to be full of vulnerabilities these days. At first, it tried to steal your banking information through a malware in WhatsApp’s update, now it seems that you can crash specific users’ apps by sending them a whole bunch of emojis.
5,000 emojis to be precise.
Researcher Indrajeet Bhuyan reveals that people can cause Android versions of the WhatsApp application to crash by sending them at least 5,000 emojis from the web version of WhatsApp. When a user receives the application and tries to open it, the whole app would crash.
The only way to recover from that is to delete the entire conversation. Through our experimentation, it does indeed work. When we tried to open the “malicious” message, sure enough, our application crashed and we had to close and restart it before we could access the app again.
However, the other conversations were unaffected by the malicious thread, so as long as you leave that conversation alone it won’t crash the application. This also works for group chats. The only way to access that conversation again is to delete the entire thread and start a new conversation with that contact.
That said, if you have 4GB of RAM like we did on our Oppo R7s, you can have varying degrees of success in opening the thread again though you would have to wait awhile. This vulnerability does not extend to the iOS version of WhatsApp as the emojis only cause the app to lag, unlike a previous iOS vulnerability that relied on a specific message.
Although WhatsApp does have a character limit of 6,000 — to prevent messages that the application cannot handle — it seems that this still far too many as a mere 5,000 emojis will kill the app.
When talking about the potential exploits of having such a vulnerability, Bhuyan says that an attacker could be sending abusive messages to their victim, blackmailing or threatening them, then send them 5,000 emojis to crash that thread and make it so that the victim can’t access the thread for evidence again.
Let’s hope WhatsApp (or Facebook) pushes out a fix for this soon before people with bad intentions catch on and start abusing this.
